Open DNS Resolver Test

What is an Open DNS Resolver?

A DNS resolver is the software that translates domain names like example.com into IP addresses your computer can connect to. Most DNS servers are configured to only answer queries from their own clients, for example users on the same network or the same organisation. An open resolver answers recursive queries from anyone on the internet, regardless of who is asking.

This creates a serious security problem known as DNS amplification. An attacker can send a small forged query to thousands of open resolvers, with the source address set to the victim's IP. Each resolver then fires a much larger response directly at the victim. DNS amplification can produce traffic ratios of up to 70 bytes out for every 1 byte in, making open resolvers a favourite tool for volumetric DDoS attacks.

Well-known public resolvers like 8.8.8.8 (Google) and 1.1.1.1 (Cloudflare) are technically open, but they deploy rate limiting and anomaly detection systems that make abuse impractical. An unprotected home router, a small VPS or a corporate server without recursion restrictions is an entirely different story.

How This Test Works

When you enter an IP address and click test, we run three independent probes from our Frankfurt server:

  1. Recursion test: we query test.openresolver.com TXT via the target. If the resolver fetches that record from the authoritative nameserver on your behalf, it is open. A properly configured server will return REFUSED or SERVFAIL without ever contacting the authoritative server.
  2. External resolution test: we ask the target to resolve google.com A. A hardened server returns REFUSED. An open resolver returns real IP addresses.
  3. Version disclosure test: we query version.bind TXT CHAOS. Exposing the software version (for example BIND 9.16.1) is a minor information leak that can help attackers target known vulnerabilities in that specific version.
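
The three probes above, written out as an added example (not the site's own test code): each query is built on the wire with RD=1, the reply's RCODE and answer count are read back, and the result is mapped onto the verdicts the page describes. The target resolver is a command-line argument; RCODE numbers and the TXT/A/CHAOS constants are the standard DNS values.

```python
import socket, struct, sys

# RCODE values from the DNS header (RFC 1035) that the three probes distinguish.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXT, A, CLASS_IN, CLASS_CH = 16, 1, 1, 3

# (qname, qtype, qclass, what the probe checks), mirroring the list above.
PROBES = [("test.openresolver.com", TXT, CLASS_IN, "recursion"),
          ("google.com", A, CLASS_IN, "external resolution"),
          ("version.bind", TXT, CLASS_CH, "version disclosure")]

def build_query(qname, qtype, qclass, txid=0x1234):
    """Wire-format DNS query with RD=1, i.e. a request for recursion."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, qclass)

def classify(response):
    """Return (RCODE name, answer count) from a raw DNS response."""
    if len(response) < 12:           # shorter than a DNS header: not a DNS reply
        return "MALFORMED", 0
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    rcode = flags & 0x0F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def verdict(check, rcode, answers):
    """Map one probe's result onto the page's interpretation."""
    if rcode == "NOERROR" and answers > 0:
        return "DISCLOSED" if check == "version disclosure" else "OPEN"
    if rcode in ("REFUSED", "SERVFAIL"):
        return "HIDDEN" if check == "version disclosure" else "CLOSED"
    return "INCONCLUSIVE"

def probe(server, qname, qtype, qclass, check, timeout=5.0):
    """Send one query over UDP/53; no reply within the timeout mirrors the
    page's "No DNS Service Detected" result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, qclass), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:              # timeout or ICMP port unreachable
            return "NO DNS SERVICE DETECTED"
    return verdict(check, *classify(data))

if __name__ == "__main__":
    target = sys.argv[1]             # IP of a resolver you administer
    for qname, qtype, qclass, check in PROBES:
        print(f"{check:20s} {qname:24s} {probe(target, qname, qtype, qclass, check)}")
```

Run it against your own server before and after applying one of the fixes below; a hardened resolver reports CLOSED for the first two probes and HIDDEN for the third.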

Results are cached for 30 minutes. After applying configuration changes to your DNS server, wait a few minutes and re-run the test to confirm the fix worked.

How to Fix an Open Resolver

The fix depends on which DNS software you are running. In all cases the principle is the same: allow recursion only for trusted IP ranges such as your own network, and refuse or drop queries from everything else.

BIND (named)

Edit named.conf.options and restrict recursion to a trusted access control list:

    acl "trusted" {
        192.168.1.0/24;   // your local network
        127.0.0.1;
    };

    options {
        recursion yes;
        allow-recursion { trusted; };
        allow-query { trusted; };
    };

Unbound

In unbound.conf, deny everyone by default and allow your own ranges explicitly:

    server:
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.1/8 allow
        access-control: 192.168.0.0/16 allow

Windows DNS Server

Open DNS Manager, right-click your server, go to Properties and then the Advanced tab. Check "Disable recursion" or configure DNS policies to restrict which clients are allowed to use recursion.

Router or home gateway

Many consumer routers accidentally expose their DNS proxy on the WAN interface. Log into your router's admin panel and look for a setting called "DNS relay" or "WAN DNS access". Disable the DNS service on the WAN interface. If you cannot find the option, update your router firmware or contact the manufacturer.

Frequently Asked Questions

Is it illegal to run an open resolver?

Running an open resolver is not illegal in most jurisdictions, but many ISPs and cloud providers prohibit it in their terms of service. If your server is actively participating in DDoS attacks as an open amplifier, you could face account suspension or, depending on local laws, legal liability.

My result shows OPEN but the IP is Google or Cloudflare. Is that a problem?

No. Google (8.8.8.8) and Cloudflare (1.1.1.1) are intentionally open public resolvers with sophisticated abuse prevention systems, and they are not a risk in practice. Our test reports them as technically open because they are, but for those specific providers the risk is negligible.

Why does the test say "No DNS Service Detected"?

The IP is either not running a DNS service on port 53, is behind a firewall that drops UDP packets to that port, or the server did not respond within 5 seconds. An unreachable result is not a vulnerability.

How often is the result cached?

Results are cached for 30 minutes on our server. If you have just made a configuration change, wait a few minutes and re-run the test to see the updated result.

What is the difference between a resolver and an authoritative server?

An authoritative DNS server holds the actual records for a domain and answers questions about that domain only. A resolver (also called a recursive resolver) is a middleman that asks other servers on behalf of clients and caches the answers. Open resolvers are dangerous because they do the recursive fetching work for anyone who asks, including attackers.